upatre | 3eea0077f8f68499fb9ba7828ad66d57989c2bad28ba3c3e72fc5cae6b6486b4

Analysis

max time kernel
119s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6063cbdd0a7d7dc05847caf620950ae0N.exe
Size

34KB
MD5

6063cbdd0a7d7dc05847caf620950ae0
SHA1

cdc81d24cedb72c3fb70a0f2ca2dd6ce0451bde1
SHA256

3eea0077f8f68499fb9ba7828ad66d57989c2bad28ba3c3e72fc5cae6b6486b4
SHA512

3b68a6c8bc1db30dda684460a4f9c66427b3ffb2f2114cdfdf817e40ec65ec313b27abbf1079f5f4350e575a8c2f628cc1a71be3a647b9bf0e5b769a6a3fa35f
SSDEEP

768:kf1Y9RRw/dUT6vurGd/pkUOyGAv+rh95k5V:GY9jw/dUT62rGdiUOWWrNmV

Score

10^/10

upatre discovery downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6063cbdd0a7d7dc05847caf620950ae0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	6063cbdd0a7d7dc05847caf620950ae0N.exe

Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid process

1244 szgfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1244	szgfw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6063cbdd0a7d7dc05847caf620950ae0N.exeszgfw.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6063cbdd0a7d7dc05847caf620950ae0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szgfw.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6063cbdd0a7d7dc05847caf620950ae0N.exe

description	pid	process	target process
PID 1356 wrote to memory of 1244	1356	6063cbdd0a7d7dc05847caf620950ae0N.exe	szgfw.exe
PID 1356 wrote to memory of 1244	1356	6063cbdd0a7d7dc05847caf620950ae0N.exe	szgfw.exe
PID 1356 wrote to memory of 1244	1356	6063cbdd0a7d7dc05847caf620950ae0N.exe	szgfw.exe

C:\Users\Admin\AppData\Local\Temp\6063cbdd0a7d7dc05847caf620950ae0N.exe
"C:\Users\Admin\AppData\Local\Temp\6063cbdd0a7d7dc05847caf620950ae0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
34KB

MD5
892e815e11692954a6b8072b68d83cc6

SHA1
e01880ec046698119183a1cbfef0630c1011cac4

SHA256
44472283566d73c4fa07fb5be989c22e0213622fdb782b46380446e923b66332

SHA512
45f462f883533d9ef4af590bfe5a96d880193a1b6e5a1627092ac188906b3ea5b87ce0e660b6fc180b3d91103b6382190f8f683a2ff0dcf257a2013752ba4929

Download Submit
memory/1244-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1356-0-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1356-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download